Expensive malware appears for Microsoft's Windows Mobile

Malware embedded into legitimate-looking games designed for Windows Mobile has appeared, automatically dialing up foreign telephone services to ring up hundreds of dollars in illicit charges for users behind their backs.

The discovery, reported by John Hering of the Lookout security firm, was covered in a report by Reuters, which inaccurately described the malware as a "virus" and misleadingly referred to the exploit as being orchestrated by "hackers."

In reality, the malware was simply the product of malicious mobile software developers who misrepresented their work as safe, and distributed it through "sites that provide legitimate software for mobile devices."

No malware for iPhone, despite its market share

The fraudulent mobile software for Microsoft's smartphone platform punctuates the warnings Apple has been sounding about security-free software distribution, and underlines why the company has maintained a strict policy that forces iPhone mobile developers to get their work approved by and cryptographically signed for distribution by Apple itself.

Critics have chafed at Apple's secure software signing model and have praised Google's alternative Android model, which enables users to download software from any source, without any security model in place, at their own risk.

The appearance of malware on Windows Mobile is particularly interesting because the motivation of this assault was entirely financial. That being the case, the fact that the malicious developers targeted Windows Mobile, which is almost entirely limited to the US and now trails Symbian (42%), RIM (21%), and Apple's iPhone OS (15%) in market share (9% over the last year), turns decades of Windows-based punditry on its head because "malicious hackers" supposedly only target the largest platform.

Mobile security evolving

Symbian, long the global leader in smartphones, was actually targeted by Cabir, one of the first real viruses to spread among smartphones. However, that discovery led to a stronger push for platform security, which resulted in support for mandatory code signing in Symbian OS 9.

RIM also includes code signing in its BlackBerry SDK, a model Apple followed and expanded upon with a much less expensive code signing program and app approval process than those that were in place at Symbian and RIM when the iPhone 2.0 SDK and iTunes App Store debuted two years ago.

Like Android, Windows Mobile offers some optional code signing capabilities but does not enforce these, enabling users to find and install software without any proof of its security or legitimacy. Both also therefore have no mechanism for killing an app that goes rogue after it has been distributed.

So far, Apple has never revoked a developer's certificate or killed an active app installed by users, even for apps it has retroactively removed from the App Store for reasons other than being malware. Apple has pulled apps from iTunes that have violated its privacy policies in invasive but not malicious ways until the developer addressed the issues.

iPhone security features deter malware

Just the fact that Apple has a real security policy in place for iPhone mobile software in its iTunes App Store serves as a strong deterrent for rogue developers from even attempting to distribute malicious iPhone OS software like the tainted games discovered for Windows Mobile.

Jim Finkle, writing for Reuters, claimed that "hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc's iPhone and Google Inc's Android operating system," but in reality, any attacks aimed at iPhone users are not software-based, expressly because of Apple's strict security policy, and must be limited to social engineering exploits that prey upon people directly, rather than infecting their devices with malware.

Android users (just like Mac and Windows users) have no similar security protection in place, and should be very careful about downloading software, even from legitimate-appearing websites. Unlike desktop malware, which is somewhat limited in the scope of damage it can cause, mobile malware has the ability to rapidly run up very expensive mobile bills for weeks before the user is likely to even notice a problem.